The Federal Bureau of Investigation is warning consumers about a banking scam that begins with a text message regarding a fictitious transfer of funds. In this smishing (SMS phishing) attack, the criminal sends a text that looks like a real fraud alert. The message asks the recipient to confirm that he or she used a banking app to transfer funds from an account. If the recipient responds with a "no," the criminal calls the target posing as a bank rep to discuss reversing the transfer. In reality, the "reversal" instructions given to the victim cause the victim to send money to an account controlled by the attacker; the original transfer never occurred.
Launching the attack
This attack leverages bank payment apps intended to make transferring funds quick and easy. To use one of these apps, both the sender of funds and the recipient need to create user accounts that include their banking information. Once that's done, the sender only needs the recipient's email address or mobile phone number to identify the person receiving the transfer. The rest of the information required to complete the transfer is already stored in the app.
The attack begins when the intended victim receives a fake transfer alert message. The text message includes the potential victim's bank name and indicates that it is a "bank fraud alert." The message asks whether the recipient authorized what these banking apps refer to as an "instant payment" of a specified amount. The amount listed is typically several thousand dollars. The recipient is asked to respond with "YES, NO, or 1 to STOP ALERTS." If the victim replies with "NO," he or she receives a follow-up text indicating that a fraud specialist from the financial institution will be in contact shortly.
Directing payment to the scammer's account
Posing as the fraud specialist, the scammer calls the target to discuss resolving the issue and reversing the transfer that never actually occurred. The scammer spoofs his phone number to make it appear as though he is calling from the bank's actual customer support line. The criminal provides step-by-step instructions to the victim to supposedly reverse the transaction. The victim is instructed to log into his bank account and to then remove his email address from the instant payment app. The criminal asks the victim to provide that email address, which is then entered into the payment app of a bank account that the criminal controls. Next, the scammer instructs the victim to perform another instant transfer payable to himself (the victim) in the same amount as the previous transaction in order to cancel it out. Because the victim removed his email address from the app and the criminal added it to his account, the funds are actually sent to the criminal's bank account. The FBI reports that, in some cases, bad actors communicated with their targets for several days before completing this scam.
Atypical characteristics of this attack
The criminals pulling off this attack apparently do their research. They know which financial institutions their victims use and, in some instances, victims have reported that these scammers also know their previous addresses, the last four digits of their bank accounts, and even their Social Security numbers. They use these details to gain their targets' trust. After all, if they weren't legitimate, how could they know these things? The FBI bulletin regarding this threat notes that, in general, scammers often have foreign accents. The bureau makes it a point to emphasize that, in this particular scam, the threat actors do not typically speak with accents.
Avoid becoming a victim
First, remember that no bank will ask you to resolve a fraudulent transaction by transferring funds between your accounts yourself. This is not how these matters are handled.
If you receive a text message or email that appears to have originated from your financial institution, understand that cybercriminals can be very skilled at making these communications look authentic. Emails may display an address in the From field that appears to be that of your bank. They may include your financial institution's logos in the body of the message; these can easily be copied and pasted into scam emails. Text messages might include some personal information that you would not expect a scammer to have. These messages often convey a sense of urgency, as is the case with fraud alerts.
If you receive an email or text asking you to verify that you authorized a transaction, to call a number included in the message, or to provide any information regarding your account, do not respond directly to the request. Don't call a phone number or click a link included in the message. Instead, call or email your financial institution's fraud office using a phone number or email address you know to be correct. Go to the bank's official website and find the contact information there if you don't already have it.
If you find yourself in contact with someone who may be a scammer, understand that the individual could have personal information about you, perhaps even including your account and Social Security numbers. With all of the data breaches that have occurred over the past several years, your personal information could be available to criminals. Just because they have your data doesn't mean they aren't running a scam.
Take advantage of security tools offered by your financial institution. Use multi-factor authentication (MFA) to protect your accounts. Never provide PIN/MFA codes or other account details to anyone who contacts you via email, text, or by phone.
Finally, check your accounts regularly. If you notice any unusual activity or transactions, contact your bank immediately.